This is my personal blog, a home for the various things that I want to stand on a soapbox about.

Password Policy

Why we have a policy

We take password security very seriously here. For this reason, we enforce a couple of rules. While they may seem inconvenient, they exist to prevent any possibility of your account being compromised. For many people, an account on a minor, spurious blog may seem unimportant; however, recent research found that 87% of young people reuse the same password across multiple platforms. This means that if one comparatively small system is breached, you can lose access to many accounts. By setting strict password rules, we ensure that it is very difficult to brute-force our systems. The rules for this site were decided on the basis of Jeff Atwood's advice. For anyone who doesn't know who he is, he co-founded Stack Overflow, so I'm going to trust his advice!

The Rules

1: All passwords must be longer than 10 characters.
This increases the search space a brute-force attack has to cover. If your password contains letters, numbers and symbols, every additional character multiplies the time required to brute-force it by around 80.

2: No password on the list of 1 million most used passwords can be used.
On paper this sounds like a draconian requirement, but in reality, once you exclude the entries under 10 characters (already rejected by rule 1), around 130,000 remain. The rationale is that if an attacker cannot feasibly brute-force every password (rule 1 rules out the short ones), they will instead start by trying the most common passwords. By disallowing both, we make it very difficult for an attacker to gain access.

3: Your password cannot be equal to your username, your email address, or the URL of this site.
This is a fairly obvious rule, but I'm spelling it out to avoid any doubt.
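The three rules above can be checked in a few lines of code. The following is an added example written for this page, not the blog's own validator. The common-password list is a small constructed sample standing in for the real one-million-entry list; the site URL, username and email in the usage at the bottom are made-up values. Note that the rule 2 list is pre-filtered at load time: an entry of 10 characters or fewer can never pass rule 1, so only the longer entries need to be kept, which is why only a fraction of the million entries matter.

```python
from urllib.parse import urlparse

MIN_LENGTH = 11  # rule 1: passwords must be longer than 10 characters

# Constructed stand-in for the "1 million most used passwords" list.
# The first three are short and are already rejected by rule 1.
COMMON_PASSWORDS_SAMPLE = [
    "123456", "password", "qwerty",
    "password123", "iloveyou1234", "letmein12345", "1234567890123",
]


def load_denylist(entries):
    """Build the rule 2 lookup set.

    Entries shorter than MIN_LENGTH can never pass rule 1, so they are
    dropped; comparison is case-insensitive so "Password123" is caught too.
    """
    kept = set()
    for entry in entries:
        entry = entry.strip()
        if len(entry) >= MIN_LENGTH:
            kept.add(entry.lower())
    return frozenset(kept)


def site_identifiers(site_url):
    """Forms of the site URL a user might type as a password:
    the URL as given, the bare hostname, and the hostname without 'www.'."""
    parsed = urlparse(site_url if "://" in site_url else "https://" + site_url)
    host = (parsed.hostname or "").lower()
    forms = {site_url.lower(), host}
    if host.startswith("www."):
        forms.add(host[4:])
    forms.discard("")
    return forms


def validate_password(password, username, email, site_url, denylist):
    """Return a list of rule-violation messages; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("rule 1: must be longer than 10 characters")

    lowered = password.lower()
    if lowered in denylist:
        problems.append("rule 2: appears on the common-password list")

    identities = {username.lower(), email.lower()} | site_identifiers(site_url)
    identities.discard("")
    if lowered in identities:
        problems.append("rule 3: must not equal username, email, or this site's URL")
    return problems


# Denylist built once at startup from the (constructed) sample list.
DENYLIST = load_denylist(COMMON_PASSWORDS_SAMPLE)

if __name__ == "__main__":
    # Hypothetical account and site values for demonstration.
    for candidate in ["qwerty", "password123", "www.example.com",
                      "correct horse battery staple"]:
        result = validate_password(candidate, "bob", "bob@example.com",
                                   "https://www.example.com", DENYLIST)
        print(f"{candidate!r}: {'accepted' if not result else result}")
```

The validator reports every rule a password breaks rather than stopping at the first, which gives the user one round of feedback instead of several. Comparing against lower-cased forms of the username, email and hostname is a deliberate widening of rule 3: a password that differs from the email address only in capitalisation is no stronger than the email address itself.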